Evidence of meeting #91 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site.) The winning word was emergencies.
A video is available from Parliament.
10:20 a.m.
Executive Director, Canadian Constitution Foundation
I would say that it also sounds like it would not build in any concept of proportionality to do anything specified in the order. I like it more than “do anything” or “refrain from doing anything”, but it sounds like it could also be quite unmoored.
10:20 a.m.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
The chair looks very generous today, so I'm going to ask one more question, if I may. Would you support establishing a list of factors that must be considered before an order can be issued?
I'll turn it over to you, Ms. Polsky.
10:20 a.m.
President, Privacy and Access Council of Canada
Yes, but who's going to create that list, and what are their motives?
10:20 a.m.
Executive Director, Canadian Constitution Foundation
Yes, assuming that broad consultation of stakeholders will precede that.
10:20 a.m.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you, Mr. Chair.
Thank you to the witnesses for giving their valuable time to be here with us on this study.
Mr. Shull, I liked your opening remarks. You cut to the chase, as they say. I appreciate that.
I've spoken to a few groups outside this committee, and most of them think that Bill C‑26 is a great step forward. Overall, they feel it's a good thing.
However, they have two key criticisms.
First, they are criticizing the fact that government is being given a great deal of power. This bill gives certain ministers the freedom to issue orders in council and interim orders, but it doesn't necessarily provide any details on that. We don't know how that might look.
Second, they find the sanctions too severe. You talked about tax incentives. If I'm not mistaken, rather than imposing sanctions, you're proposing that tax benefits or incentives be put in place for companies that would be required to set up a cybersecurity framework, for example. You look at the issue from another angle: We should make participation a little more voluntary, while ensuring compliance and making sure the information exchanged is protected.
Can you tell us a little more about that?
10:20 a.m.
Managing Director and General Counsel, Centre for International Governance Innovation
Mr. Chair, that's a great question.
What I'm talking about is small and medium-sized enterprises and protecting them, as opposed to critical infrastructure providers that are defined in the act. It allows you to take federal jurisdiction by using your tax power to protect the companies that make up the bulk of our economy. Critical infrastructure is super-important, because...well, it's critical, and if it goes down, people are going to know about it.
The problem we have is that many companies that are not critical infrastructure providers are being robbed through ransomware. Enough is enough, and a tax credit would provide that incentive.
It's a good question, Mr. Chair.
10:20 a.m.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
What would you suggest: Should we replace the sanctions with tax incentives or leave the sanctions in place?
10:20 a.m.
Managing Director and General Counsel, Centre for International Governance Innovation
I'd leave the sanctions in place. Your point is a good one. There's almost an internal inconsistency in the bill, because they say that the administrative monetary penalties are to encourage compliance, but those penalties can be up to $15 million a day. This is not meant to be punitive, but they can fine you $15 million a day. It sounds pretty punitive when you think about it that way.
All that is to say I would leave the penalty structure in place as currently defined for critical infrastructure providers. I would add on the incentive structure for small and medium-sized enterprises that do not fall within the statutory definition of critical infrastructure providers.
10:20 a.m.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
You're talking about small‑ and medium-sized enterprises. Some are afraid of the additional paperwork it might involve. As we know, cybersecurity is evolving very rapidly. If they have an incident, for example, they have to meet the deadlines for sharing the information with the government. This is all in addition to the security and confidentiality of the information. Businesses have concerns about that. However, I haven't been able to get many answers from the government to reassure them.
What do you think we should say to those companies? Are their concerns justified?
10:20 a.m.
Managing Director and General Counsel, Centre for International Governance Innovation
Again, it's a great question, Mr. Chair.
I'm personally a bit unconvinced by the regulatory burden argument. All the bill is saying is that if you work in critical infrastructure, you need to have a plan in place. You need to have a cybersecurity plan. The opposite of that is not having one, which is unsatisfactory. Then, if something happens, they have to report it. If they don't comply with that requirement, there's a penalty for not doing so.
While I appreciate that there is some regulatory burden, there is a lot of regulatory burden on businesses all over the place. In this one, you're providing a critical function in the economy and you need to have your crash helmet on. If not, there are consequences, because the role you're playing is just too important for it to be left alone.
10:25 a.m.
Liberal
10:25 a.m.
Conservative
Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON
Mr. Chair, could I interrupt?
I'm sorry, Mr. Julian. It's a very quick point of order.
I know that as members of Parliament, we're away from friends and family a lot, so I want to take this opportunity to wish Ms. Michaud a happy birthday today. I know she's here with us and I want to say happy birthday in public.
10:25 a.m.
A voice
As a special gift, we won't sing.
10:25 a.m.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
I'm going to take my four minutes. At the end, I think we should be singing to Madame Michaud. I'll hold that until four minutes from now.
Mr. Chair, I think we all had questions for Mr. Neiman and Mr. Holland, so I'm hoping we can have them back at committee. I know that's an additional expense because of the Conservative filibuster, but it's critical to get this legislation right. I appreciate the witnesses who've been able to answer our brief questions. We have many more questions to ask.
I want to come to Ms. Polsky and Ms. Baron.
You're part of the coalition that provided an excellent joint submission that talks about recommended remedies. There are 16 recommendations on how this committee can improve the legislation. They touch on a number of areas: “restraining ministerial powers”; “protecting confidential personal and business information”; “maximizing transparency”; “allowing special advocates to protect the public interest”; and “enhancing accountability for the [Communications Security Establishment]”.
Of the 16 recommendations, which are the most critical ones that we need to consider, or are they all part of a package—something vital to make sure this legislation does what it's intended to do but does it in a transparent way?
I'll start with Ms. Polsky.
February 1st, 2024 / 10:25 a.m.
President, Privacy and Access Council of Canada
Thank you. I think you hit on the key, transparency.
It's not a matter of one being more or less important than the other. They all have to be present for the legislation to be reasonable, fair and balanced, and for it to deserve the public's trust. They all have to be incorporated into legislation. It's as simple as that. Without all those components, there aren't the balance, reasonableness and proportionality that have to be there.
10:25 a.m.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
What I hear you saying is that the 16 recommendations are all interlinked. Without all of them, you and the coalition would not be prepared to support the legislation.
10:25 a.m.
President, Privacy and Access Council of Canada
The premise of the legislation is important, but there's an old saying: “You can't lose fast enough.” I think it's incumbent on us all to take the time and do it right—not do it over or have people suffer as a result of legislation that could have been done right in the first instance but is now perhaps being rushed through.
10:25 a.m.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
Thank you for that.
Mr. Baron, I have the same question for you.
Of the 16 recommendations, which are the ones you feel are most critical to get right in this legislation?
10:25 a.m.
Executive Director, Canadian Constitution Foundation
We've been discussing these various remedies for several years now—the civil liberties groups—and I agree with Ms. Polsky that I can't pick a favourite child. I would say that all the recommendations, overarching, have the same purpose of proportionality, privacy and checks on the exercise of unconstrained power. They go together as a package.
I couldn't single one out. If I did, it would be one that I have particular expertise in, but that doesn't mean it's the most important for the goal of cybersecurity, which we all agree is an absolute imperative.
10:25 a.m.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
Thank you. My question was more on what is absolutely critical. Where is there a line in the sand in terms of ensuring this legislation is right? What I hear both of you saying is that all of the recommendations are critical. I thank you for that.
My four minutes are up, but I think I would join the rest of the members in singing Happy Birthday to Ms. Michaud.
